Page 65 - Cyber Defense eMagazine June 2020 Edition
Lifting Physical Security Measures to the Cloud Is a Failed Strategy
Consider the days when on-premise datacenters were full of physical servers. To verify the security state
of those machines, administrators had two options: run code on each via a software agent, or scan every
system from the network to look for vulnerabilities, misconfigurations, and other risks. When businesses
began to move their workloads to the cloud, these same security technologies were merely lifted and
shifted.
Organizations ended up having both an agent – the same agent from the on-prem days bolted on to the
cloud – as well as the same scanners. But those tools weren’t reimagined to support the unique
characteristics of cloud computing, so the limitations of agents and scanners were magnified on the
new platform.
While agents can see everything that happens, they have to be installed on every machine to be scanned.
This simply isn’t practical in a cloud environment that uses ephemeral servers, containers, and serverless
workloads that burst into existence for a short time and then disappear just as quickly. No human—and
perhaps not even automation tools—can keep track of software agents and ensure they’re consistently
installed in such a dynamic environment. What’s more, the high cost and complexity of agent deployment
and maintenance, as well as friction with DevOps teams, make agent-based scanning totally unsuitable
for the cloud.
As for network scanners—which are essentially whitelisted hacking tools—visibility is critically limited to
just those assets that are already known and accessible. Moreover, scans put data integrity at risk, use
significant system resources during test procedures, and completely miss some assets and risks because
they simply aren’t visible or accessible.
New Tools Address (Some) Cloud Security Needs
With legacy security tools leaving gaps, new cloud-native tools attempt to fill the need to assess risk in
cloud estates. For example, Cloud Security Posture Managers (CSPMs) verify that cloud configurations
are following security best practices and compliance standards such as the CIS framework, Azure and
GCP benchmarks, and PCI DSS or HIPAA guidelines. While CSPMs do look at configurations unique to
cloud environments, at best they provide shallow coverage because they don’t go inside machines, but
rather view them from the outside.
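To make concrete what an outside-in configuration check looks like, the following is an added example, not code from the article or from any CSPM product. It evaluates a constructed, hypothetical cloud inventory (security groups and storage buckets, as a provider API might return them) against a handful of posture rules; the control IDs are invented labels, not official CIS benchmark numbers.

```python
"""Minimal CSPM-style posture checks over a constructed cloud inventory.

Added example. The inventory layout and the control IDs (NET-1, STOR-1, ...)
are hypothetical; a real CSPM pulls this data from the provider's APIs.
"""
import ipaddress
from dataclasses import dataclass

# Constructed sample inventory, not real resources.
SAMPLE_INVENTORY = {
    "security_groups": [
        {"id": "sg-web", "rules": [{"port": 443, "cidr": "0.0.0.0/0"}]},
        {"id": "sg-admin", "rules": [
            {"port": 22, "cidr": "0.0.0.0/0"},    # SSH open to the IPv4 world
            {"port": 22, "cidr": "::/0"},         # SSH open to the IPv6 world
            {"port": 3389, "cidr": "10.0.0.0/8"}, # RDP restricted to private range
        ]},
    ],
    "buckets": [
        {"name": "public-site", "public_read": True, "encrypted": True},
        {"name": "backups", "public_read": False, "encrypted": False},
    ],
}

# Ports that should never be reachable from any address (hypothetical policy).
ADMIN_PORTS = {22: "ssh", 3389: "rdp"}


@dataclass(frozen=True)
class Finding:
    control: str   # hypothetical control identifier
    resource: str  # resource the finding applies to
    detail: str    # human-readable explanation


def rule_is_world_open(cidr: str) -> bool:
    """True for 0.0.0.0/0 and ::/0: both have a zero-length prefix."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def check_admin_ports(inventory: dict) -> list:
    """NET-1: administrative ports must not be open to the whole internet."""
    findings = []
    for sg in inventory.get("security_groups", []):
        for rule in sg["rules"]:
            if rule["port"] in ADMIN_PORTS and rule_is_world_open(rule["cidr"]):
                name = ADMIN_PORTS[rule["port"]]
                findings.append(Finding(
                    "NET-1", sg["id"],
                    f"{name} ({rule['port']}) open to {rule['cidr']}"))
    return findings


def check_buckets(inventory: dict) -> list:
    """STOR-1: no public read; STOR-2: encryption at rest must be enabled."""
    findings = []
    for bucket in inventory.get("buckets", []):
        if bucket.get("public_read"):
            findings.append(Finding("STOR-1", bucket["name"], "public read access"))
        if not bucket.get("encrypted", False):
            findings.append(Finding("STOR-2", bucket["name"], "encryption at rest disabled"))
    return findings


CHECKS = (check_admin_ports, check_buckets)


def run_posture_checks(inventory: dict) -> list:
    """Run every registered check and return all findings in order."""
    return [f for check in CHECKS for f in check(inventory)]


def summarize(findings: list) -> dict:
    """Count findings per control id, e.g. {'NET-1': 2, 'STOR-1': 1}."""
    counts = {}
    for f in findings:
        counts[f.control] = counts.get(f.control, 0) + 1
    return counts


if __name__ == "__main__":
    for f in run_posture_checks(SAMPLE_INVENTORY):
        print(f"[{f.control}] {f.resource}: {f.detail}")
    print(summarize(run_posture_checks(SAMPLE_INVENTORY)))
```

Note what these checks can and cannot say: they flag the world-open SSH rules and the unencrypted bucket from configuration metadata alone, but nothing in the inventory describes what is running inside the instances behind sg-admin, which is the "outside-in" limitation the paragraph above describes.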
Cloud platform hosts provide a number of security tools exclusive to their own environments. Amazon,
Google, and Microsoft all offer tools/services to detect threats, analyze application security, investigate
potential security issues, discover unprotected keys and sensitive data, identify non-compliance with
security frameworks and regulations, and more. Third-party vendors also provide tools—many of them
retreads from the on-premise environment—in each of these areas.
The key issue with such tools is that they only provide a partial view into your cloud estate’s risks and
vulnerabilities. An organization must deploy multiple tools or services to get the full picture, and even
then it’s not a holistic view. Each tool performs its own vulnerability detection, and getting them all to
communicate with one another and provide clear context regarding each finding is nearly impossible.
Copyright © 2020, Cyber Defense Magazine. All rights reserved worldwide.